A security flaw in a hi-tech chastity belt for men made it possible for hackers to remotely lock all the devices in use simultaneously.
The internet-linked sheath has no manual override, so owners might have been faced with the prospect of having to use a grinder or bolt cutter to free themselves from its metal clamp.
Mr Lomas' team flagged the issue to Qiui in May, after which it updated its app as well as the server-based application programming interface (API) involved.
But it still left an earlier version of the API online, meaning those who had not downloaded the latest version of the app theoretically remained at risk.
Pen Test Partners sent follow-up emails urging this to be addressed and involved the news site Techcrunch to help press for action.
Techcrunch said Qiui's chief executive subsequently told it he had tried to tackle the issue but added: "When we fix it, it creates more problems."
Five months on from first getting in touch, the UK security team decided to go public.
"Given the trivial nature of finding some of these issues and that Qiui is working on another internal device, we felt compelled to publish," Mr Lomas said.